AUDIT REPORT

Audit of NRC's Laptop Management

OIG-08-A-19        September 30, 2008

All publicly available OIG reports (including this report) are accessible through NRC's Web site at: http://www.nrc.gov/reading-rm/doc-collections/insp-gen/


EXECUTIVE SUMMARY

BACKGROUND

The U.S. Nuclear Regulatory Commission (NRC) uses more than 1,550 laptop computers in its day-to-day operations. NRC owns, manages, and maintains approximately 85 percent of this laptop inventory, or approximately 1,300 laptops. The Office of Information Services (OIS), Infrastructure and Computer Operation Division (ICOD), is responsible for developing and implementing policies, standards, and configurations to maximize functionality, support, and security for laptops. Within ICOD, the Network Operations and Customer Services Branch is responsible for asset management of laptops. Although OIS has responsibility for issuing policies, standards, and configurations related to agency-owned laptops, individual offices are accountable for the immediate oversight of their assigned laptops, including management and maintenance.

PURPOSE

The audit objective was to evaluate the management of laptops, including the effectiveness of NRC's security policies for laptop computers.

RESULTS IN BRIEF

The Office of the Inspector General (OIG) identified weaknesses pertaining to the implementation and monitoring of laptop security controls, and other issues of concern pertaining to property management practices over agency-owned laptops.

RECOMMENDATIONS

This report contains recommendations intended to improve the implementation and monitoring of laptop security controls. A consolidated list of these recommendations appears in Section VI of this report.

AGENCY COMMENTS

At a September 23, 2008, exit conference, agency senior managers agreed with the report contents and provided editorial suggestions. This final report incorporates revisions made, where appropriate, as a result of the agency's suggestions.


ABBREVIATIONS AND ACRONYMS

CTF         Computer Testing Facility
ICOD        Infrastructure and Computer Operation Division
ID          identification
IT          information technology
LAN         local area network
MD          Management Directive
OIG         Office of the Inspector General
OIS         Office of Information Services
SPMS        Space and Property Management System


TABLE OF CONTENTS

EXECUTIVE SUMMARY
ABBREVIATIONS AND ACRONYMS
I. BACKGROUND
II. PURPOSE
III. FINDING
        SECURITY CONTROLS NOT ADEQUATE
IV. OBSERVATIONS
V. AGENCY COMMENTS
VI. CONSOLIDATED LIST OF RECOMMENDATIONS
APPENDIX
        SCOPE AND METHODOLOGY


I.   BACKGROUND

The U.S. Nuclear Regulatory Commission (NRC) uses more than 1,550 laptop computers in its day-to-day operations. NRC owns, manages, and maintains approximately 85 percent of this laptop inventory, or approximately 1,300 laptops. The remaining laptops are leased from a commercial vendor, which manages and maintains the machines. This audit report focuses specifically on agency-owned laptops and uses the term "laptops" to refer to the agency-owned machines.

The Office of Information Services (OIS), Infrastructure and Computer Operations Division (ICOD), is responsible for the development, integration, implementation, security, management, and support of the agency's information technology (IT) infrastructure, which includes laptops. Within ICOD, the Network Operations and Customer Services Branch is responsible for asset management of laptops.

A significant percentage of laptops are used by employees who engage in teleworking as part of work-related travel or who partake in the Flexible Workplace Program[1] or Special Circumstances Work-At-Home Program.[2] Other laptops are used in headquarters, regional, and resident inspector offices and the Technical Training Center as dockable desktops, classified standalone computers, or to support training, testing, software development, forensics, and security scans.

[1] The Flexible Workplace Program, also known as Flexiplace, allows employees in eligible positions to apply for a fixed-schedule telework arrangement. Under Flexiplace, employees may work at home or at an offsite location for up to 3 days per week with approval of their office director or regional administrator.
[2] The Special Circumstances Work-At-Home Program is designed to meet temporary needs resulting from conditions of personal incapacitation, personal hardship, or short-term work exigencies.

[Figure: LAPTOPS BY LOCATION (Total = 1,332). Bar chart of the number of laptops at each location: HQ, Region I, Region II, Region III, Region IV, and TTC.]

Although OIS has responsibility for issuing policies, standards, and configurations related to agency-owned laptops, individual offices are accountable for the immediate oversight of their assigned laptops, including management and maintenance. Individual office oversight of the laptops is a coordinated effort involving the office property custodian, IT coordinator, and laptop user designated on NRC Form 119, Custodial Receipt for Sensitive Property. Specifically, the office property custodian manages and is required to track user assignments within the office and record this information in the agency's Space and Property Management System (SPMS).[3] The office IT coordinator is required to coordinate with the Network Operations and Customer Services Branch regarding issues such as network access, software installation, and computer moves. The IT coordinator also approves office laptop acquisitions. Lastly, the individual to whom the laptop is assigned is responsible for ensuring that the machine is used in accordance with agency and Federal regulations and that the laptop itself and the data stored on it are secure.

[3] SPMS, previously known as PASS, is a database that contains records for all sensitive equipment, regardless of cost, and accountable non-sensitive equipment having an acquisition cost of at least $500. OIG recommended in audit report OIG-07-A-14, Audit of NRC's Non-Capitalized Property, dated July 12, 2007, to increase the threshold to $1,000, and the agency issued guidance to this effect in January 2008.

Individual offices purchase laptops out of their office budgets. The cost of each laptop ranges between $459 and $11,598. The overall total laptop acquisition cost for the agency is estimated to be $2,730,833.[4]

[4] The overall total acquisition cost was calculated using the active agency laptop inventory listing provided in March 2008 by the Office of Administration. The total acquisition cost is a summation of the purchase price of each agency-owned laptop as listed on the agency's active inventory and does not reflect depreciation values.


II.   PURPOSE

The audit objective was to evaluate the agency's management of laptop computers, including the effectiveness of NRC's security policies for laptops. Appendix A contains information on the audit scope and methodology.


III. FINDING

More than 1,300 agency-owned laptops are tracked in the agency's Space and Property Management System. After surveying a sample of these laptops, OIG identified opportunities for improvement in the management of these laptops in the area of security controls.

Addressing these issues will improve the security of NRC's information infrastructure.

SECURITY CONTROLS NOT ADEQUATE

Required security controls over laptops were lacking in headquarters and in each of the two regional offices where OIG surveyed laptops during this audit. These controls were lacking because the agency has not established clear policies and procedures to implement security requirements.[5] As a result, the agency's laptops are susceptible to viruses and unauthorized use. This could result in the inadvertent release of sensitive NRC information when laptops are connected to the Internet, or it could pose a threat to the secure operation of the agency's network and information when laptops are connected to the NRC local area network (LAN).

        Requirements

Federal guidance pertaining to the security and management of Government computers, including laptops, requires agencies to adopt controls that mitigate the risk inherent in laptop usage. Executive Order 13103[6] prohibits the use, acquisition, reproduction, distribution, and transmission of computer software that violates applicable copyright law. The Federal Desktop Core Configuration, a mandated security configuration, requires frequent password changes, no saving of login or password information, and restricted administrative rights.[7]

Additionally, NRC's Management Directive and Handbook (MD) 12.5, NRC Automated Information Security Program, states that users shall take appropriate precautions to protect the assets (hardware, software, data) provided for their use or to which they have been granted access (e.g., workstations, microcomputers, local area networks, and associated data). Such precautions include the following:

•   Users should install virus-checking software on all mobile computers used to access the NRC LAN and download updates at least weekly so that the virus protection remains current.

•   Operating systems are maintained at the most current version.

•   Systems shall be configured to display a warning banner[8] to users upon first accessing NRC automated information resources.

•   Users shall ensure that the screen-saver password protection option is selected and the wait time is set to 15 minutes.

•   User identifications (ID) must be issued on a one-to-one basis, and group user IDs are not permitted without special authorization.

[5] Policies exist for safeguards information and classified laptops; however, they are not easily understood and cannot be easily implemented.
[6] Executive Order 13103, Computer Software Piracy, Effective Date: September 30, 1998.
[7] Administrative rights means the user has the ability to install software and change the computer configuration.
[8] A warning banner is information that appears on a computer screen after an individual logs onto a computer. This warning alerts the user of their rights and responsibilities when using the computer and warns against the consequences of unauthorized modification, disclosure, or destruction of agency property and sensitive information.

        Inadequate and Inconsistent Security Controls Over Agency-Owned Laptops

OIG auditors surveyed 49 laptops physically located at headquarters, two regional offices, and two resident inspector sites to assess their compliance with Federal and agency security requirements.

[Figure: Laptops Missing Security Controls (Sample = 49). Bar chart of the number of laptops that lacked each security control, for the issues: outdated virus protection, outdated operating system, no warning banner, unprotected screen saver, no individual login/password, unrestricted admin rights, and unauthorized software.]

As the chart shows, the majority of laptops surveyed were not in compliance with Federal and agency-defined security controls. In fact:

•   80 percent (39/49) lacked current[9] virus protection.

•   29 percent (14/49) lacked current operating systems.[10]

•   67 percent (33/49) lacked warning banners.

•   67 percent (33/49) lacked password protected screen savers.

•   63 percent (31/49) lacked individual logins and/or passwords.

•   53 percent (26/49) lacked restricted administrative rights.

•   18 percent (9/49) had unauthorized[11] software downloaded.

[9] For purposes of this audit, the Office of the Inspector General (OIG) considered virus updates to be current if they were downloaded within 30 days of OIG's survey. This is a less stringent requirement than that advised by NRC; NRC guidance states that updates should occur on a weekly basis.
[10] The current operating system is Microsoft Windows XP, Service Pack 2.
[11] Unauthorized software is software that was not tested and approved by the Computer Testing Facility (CTF). A complete listing of tested software and status is available on the CTF Web site (http://nocsb.nrc.gov/).

These problems reflect a longstanding agency issue. OIG previously reported the inadequacy of security controls over agency laptops in OIG audit report 05-A-18, System Evaluation of Security Controls For Standalone Personal Computers and Laptops, published in September 2005.[12] To date, the agency has made little progress in improving security controls over laptops. Five of the eight recommendations in that report are still open.

        Agency Policies and Procedures Lacking

Agency laptops are non-compliant with Federal and agency security control requirements because NRC has not yet formalized and communicated an agencywide policy for implementing these requirements.[13] Moreover, at headquarters there are limited means to efficiently support the implementation of and adherence to some security control requirements.

In the absence of a formalized policy, some headquarters program and regional offices have employed their own discretion in applying and monitoring implementation of security controls on laptops. This has promoted inconsistency in the application and monitoring of security controls within the agency because there is no formalized mechanism for assigning users responsibility for implementing security controls on laptops. For example, some offices require that laptops be turned in to the IT coordinator at least once a year for updating. Others assume that updating laptops is a user responsibility, and provide each user with a user agreement to be signed before taking possession of the laptop.

Furthermore, at headquarters, there is only one secure open port available for users to update their laptops with virus protection and operating system patches from the Internet. NRC restricts the number of open ports to address security risks posed to the NRC network. Additionally, laptop users cannot efficiently or effectively perform these updates without adequate training on the process. A protocol is needed for headquarters users to enable them to quickly and easily update the security controls on their laptops.

[12] OIG-05-A-18 only addressed standalone laptops (laptops that are not configured for connectivity to the NRC LAN).
[13] OIG acknowledges that the agency is currently in the process of developing a "Rules of Behavior Document," which is intended to address security controls such as passwords, virus protection, and software installation. To date, this guidance has not been finalized.

        Impact on Agency Network

Because a formalized agencywide policy governing the application and monitoring of security controls has not yet been implemented, agency laptops are not routinely maintained. Consequently, some laptops have inadequate security controls and are therefore susceptible to malware, viruses, and the consequences of unauthorized use. This could result in the inadvertent release of sensitive NRC information when the laptop is connected to the Internet, or it could pose a threat to the secure operation of the agency's network and the information contained therein when connected to the NRC LAN.

Additionally, non-compliance with Executive Order 13103 subjects NRC and its employees and contractors to the consequences of unauthorized software use, such as fines or imprisonment.

        Recommendations

OIG recommends that the Executive Director for Operations:

1. Develop agencywide policy and procedures regarding the implementation and monitoring of security controls, especially concerning virus protection and operating system updates, for all agency-owned laptop computers.

2. Communicate the policy in recommendation 1 to the agency when initially complete. Send periodic reminders of the policy requirements, as well as detailed instructions on how to fulfill the requirements.

3. Provide mandatory formal training to all IT coordinators and property custodians on how to update security controls on laptops.

4. Develop a process for verifying that all required security controls are implemented on agency-owned laptops.

5. Develop a protocol to facilitate the efficient and routine updating of agency-owned laptops located at headquarters.


IV. OBSERVATIONS

        Property Management Observations

Given the importance of adhering to laptop computer security requirements, it is essential to have a reliable property management program to facilitate monitoring of compliance with agency requirements and industry best practices. During the course of fieldwork, OIG auditors observed issues pertaining to property management practices. OIG is not making formal recommendations to correct these issues; however, these concerns warrant management attention.

        Inadequate Management of Safeguards Hard Drives

OIG auditors found no instances of non-compliance with agency requirements regarding hard drives, such as drives that were not locked in a secure container. However, removable safeguards hard drives are not tracked as agency inventory in the agency's property management system,[14] assigned an NRC property tag, or included in the agency's annual property inventory. Safeguards hard drives are small, portable devices that are used to process and store safeguards information.[15] These drives are not tracked as agency inventory because NRC MD 13.1, Property Management, requires that only "accountable"[16] property be tracked, and the devices do not fit the agency's definition of "accountable" property.

Consequently, there is the inherent risk of compromising sensitive agency information stored on the safeguards hard drives, especially if the hard drives are inappropriately disposed of at the end of their useful life.

[14] In this context, the term property management system refers to SPMS only; SPMS 4 is the official agency system, although other inventory systems do exist.
[15] Safeguards information means information not otherwise classified as National Security Information or Restricted Data which specifically identifies a licensee's or applicant's detailed (1) security measures for the physical protection of special nuclear material, or (2) security measures for the physical protection and location of certain plant equipment vital to the safety of production or utilization facilities.
[16] Per MD 13.1, accountable property is any equipment, excluding furniture and supplies, that is complete in itself, is of a durable nature with an expected life of at least 2 years, does not ordinarily lose its identity or become a component of another article, and is not consumed in its useful life.

        Inventory Practices Inadequate at Resident Sites and Agreement States

Despite the MD 13.1 requirement that accountable sensitive property be physically inventoried every 2 years, laptops located in resident inspector offices and Agreement States are not physically inspected by regional personnel during the required biennial physical inventory. Instead, verification is obtained verbally when the designated property custodian calls to confirm a laptop's existence. As a result, laptops could be missing for an extended period before being noticed.

        NRC Form 119 Incorrectly Completed

MD 13.1 requires that NRC Form 119, Custodial Receipt for Sensitive Personal Property, be completed for all sensitive property to document the assignment and custody of the property. When surveying the agency-owned laptop computers, auditors noted instances where NRC Form 119s were incorrectly completed. In one example, forms were not revised when laptops were transferred between staff and/or program offices. In another case, the person listed as the receiver of the property was incorrect. In light of recent agency reorganizations and continuing office moves, it is prudent to keep accurate records for accountability and tracking purposes.

        Contact Information Not Affixed to Agency-Owned Laptops

More than half (29) of the 49 laptops surveyed did not have contact information providing an NRC phone number or return instructions affixed to either the laptop or the laptop case. Although this is not an agency requirement, 20 surveyed laptops did have a contact information sticker. During fieldwork, auditors learned of an instance in which a lost laptop was successfully returned because the finder contacted the agency via the information provided on the contact sticker.


V. AGENCY COMMENTS

At an exit conference on September 23, 2008, NRC officials agreed with the report contents and provided editorial suggestions, which OIG incorporated as appropriate.


VI. CONSOLIDATED LIST OF RECOMMENDATIONS

OIG recommends that the Executive Director for Operations:

1. Develop agencywide policy and procedures regarding the implementation and monitoring of security controls, especially concerning virus protection and operating system updates, for all agency-owned laptop computers.

2. Communicate the policy in recommendation 1 to the agency when initially complete. Send periodic reminders of the policy requirements, as well as detailed instructions on how to fulfill the requirements.

3. Provide mandatory formal training to all IT coordinators and property custodians on how to update security controls on laptops.

4. Develop a process for verifying that all required security controls are implemented on agency-owned laptops.

5. Develop a protocol to facilitate the efficient and routine updating of agency-owned laptops located at headquarters.


APPENDIX

SCOPE AND METHODOLOGY

Auditors evaluated the agency's management of agency-owned laptop computers, including the effectiveness of NRC's security policies for its laptop computers. This audit was initiated in response to a request from the agency's Chief Information Officer and was included as a planned audit in the fiscal year 2008 Office of the Inspector General Annual Plan. Additionally, OIG used this audit to revisit issues related to laptop management and security that were identified in OIG audit report OIG-05-A-18, issued on September 22, 2005.

The OIG audit team reviewed relevant Governmentwide criteria, including Federal requirements governing Government-owned or leased computers as noted in the Federal Desktop Core Configuration and Executive Order 13103, Computer Software Piracy. National Institute of Standards and Technology best practices pertaining to laptop security and management were also considered. Auditors reviewed agency-specific guidance, including MDs 12.5, NRC Automated Information Security Program; 12.6, NRC Sensitive Unclassified Information Security Program; and 13.1, Property Management. Agency-specific best practices, including those listed on the Network Operations and Customer Service Branch Web site, and the Computer Security Awareness Self-Study were reviewed, as well as general prudent business practices. Previously issued OIG audit reports addressing issues related to laptop management and security management practices were also considered.

Auditors interviewed designated agency IT coordinators and property custodians, an Information System Security Officer, and laptop owners in six NRC headquarters offices, four NRC regional offices, and two resident inspector sites.

Auditors surveyed 49 agency-owned laptops selected from the 2008 official agency inventory to determine (1) whether laptops are managed in accordance with Federal and agency standards and best practices, and (2) the consistency with which agency-owned laptops are managed and maintained across offices. To determine which laptops to survey, auditors requested a current official agencywide laptop inventory from the Office of Administration. Laptops were selected randomly from the list. When these laptops were unavailable, auditors selected alternative laptops from another randomly generated list of alternatives taken from the official agency laptop inventory. Various headquarters, regional, and resident inspector site laptops were included in the survey. The results of each survey were documented on an OIG-created checklist, which was developed in accordance with Federal and agency requirements, standards, and best practices pertaining to laptop management. Auditors analyzed the survey results to determine whether NRC is appropriately and consistently managing the laptops it owns.

This work was conducted from March 2008 through June 2008 in accordance with generally accepted Government auditing standards.
Those standards require that the audit is planned and\nperformed with the objective of obtaining sufficient, appropriate\nevidence to provide a reasonable basis for any findings and\nconclusions based on the stated audit objectives. OIG believes\nthat the evidence obtained provides a reasonable basis for the\nreport findings and conclusions based on the audit objective. The\naudit work was conducted by Beth Serepca, Team Leader;\nTerri Cooper, Audit Manager; and Jaclyn Storch, Management\nAnalyst.\n\n\n\n\n                         14\n\x0c"